ArcGIS for Server

Securing your ArcGIS Server site

When you install ArcGIS Server, you will find the following:

ArcGIS Server initially has only one account, the primary site administrator you specified when you created your site. This is not a Linux account; it's an account that is used only for logging in to ArcGIS Server.

All administration and publishing operations are initially secure and can be performed only by the primary site administrator.

All services are publicly accessible.

Most functionality is open (not locked down).

These settings are usually sufficient for organizations that are
deploying ArcGIS Server for their own department's use. If you are
using ArcGIS Server in an enterprise, a highly secure environment,
or serving to the Internet, you will want to configure ArcGIS Server
security further. The topics in this help book will help you do the following:

Limit who can access your services

Log who is using your services

Control who can administer and publish to your ArcGIS Server

Encrypt ArcGIS Server communications

GIS web services allow many operations that take user input, such as queries, edits, and feature attachments. Esri performs periodic security audits to test its software for vulnerabilities to SQL injection and other forms of attack that could come through user input. Additionally, service administrators are given options to disable queries, downloads, and uploads for individual services.

To reduce the vulnerability of your server, follow best practices such as granting only the minimum necessary privileges to the ArcGIS Server account. Some of these recommendations are outlined in Best practices for configuring a secure environment.